Business continuity planning is essential for organizations preparing for a crisis, and a business continuity policy document serves as the guide. Find steps on how to write a business continuity policy, a free template, and expert advice.
A business continuity policy provides high-level guidelines a company uses to ensure it can run in a crisis and keep addressing new risks. Each company’s policy is unique. To be successful, a policy needs the support of top leadership.
“The policy sets out that a company knows it cannot just sail through the good times,” explains Alex Fullick, General Manager of business continuity consultancy Stone Road Inc. “It knows it has to be able to respond to the bad times to maintain client satisfaction. A policy outlines that, first of all, a company is dedicated to ensuring employee safety and protecting shareholders, stakeholders, and partners. A policy shows that a company will prepare for, respond to, and recover from any adverse situations that it encounters to ensure public safety and employee safety.”
Top leadership and the business continuity planning committee shape the policy. The policy writers specify the business continuity plan's purpose. They also describe what facilities and processes the business continuity plan will cover.
The policy specifies key personnel who will administer the plan and outlines the role of staff in the continuity system. A business continuity policy also notes any legal, regulatory, or contractual obligations, as well as exclusions, such as service level agreements, that a company must maintain in all circumstances.
The document defines how the company communicates to staff that the organization is implementing a business continuity management system and has the endorsement of the C-level.
Today, in the era of social media, reputation is everything. “If you're not protecting your brand, it's very easy for someone to suddenly start sending off messages in social media saying, no, they're not doing this, they're not doing that. It comes down to the brand. If you do things right, the policy protects the brand,” says Fullick.
The procedures in the business continuity plan put the policy into action. Together, both documents emphasize these elements:
Large companies usually have a business continuity policy; small companies often don’t. “I've worked for a medium-sized company, and there wasn't a documented policy,” says Fullick. “I worked for a large company that had a documented policy that the president looked at every year. In reality, he probably just signed it and added a new date.”
A written policy is mandatory for any business pursuing ISO 22301 certification. For Service Organization Control (SOC) 2 compliance, which governs how service providers manage data to ensure privacy, you need documented business continuity and disaster recovery plans.
Policy also does not exist on its own. “I use the image of a three-legged stool,” explains Mike Semel, President and Chief Compliance Officer of Semel Consulting. “A three-legged stool can't stand without all of its legs. Take away a leg, it's going to fall. If you have a policy, then you have to back it up with procedures and back the procedures up with evidence that you're following them. That’s the hardest and most expensive part.”
Business continuity policy templates can save you time when writing a policy. Editing an existing document takes less effort than formatting a new one and serves as a reminder to add key information.
Use our free downloadable business continuity policy template available in Microsoft Word and Google Docs formats. The document contains all the sections you might need for a policy document, along with a customizable header block and confidentiality label.
When drafting a business continuity plan, a company must write a business continuity policy document. The policy document outlines requirements for developing the business continuity plan.
Use concise, simple words when writing a business continuity policy. Write in the third person using “he,” “she,” and “it.” If possible, avoid adding information that may quickly go out of date. Consult good examples of straightforward policies for reference. (We provide examples of policy statements later in this article.)
Follow this procedure to prepare your business continuity policy:
A business continuity policy is a tactical tool, but it must be grounded in company strategy, which comes from senior management (senior management could be an executive in a corporation or the owner in a small business). Mike Semel gives the example of an accounting firm with employees who thought their recovery time objective (RTO) was eight business hours. The managing partner said the company couldn’t possibly afford to recover so quickly and determined it was cheaper to pay any fees clients incurred from late filings. Thus, it’s management’s job to determine risk tolerance.
Semel explains further that companies often guess at RTO without a full understanding of what the number really means. For example, if power goes out, unless you can fire up a generator, your recovery must wait on power being restored. Thus, an eight-hour RTO clock doesn’t begin until power is restored.
“The problem with RTO is that it's usually like a hope or a wish or a guess,” he says. “The biggest flaw when it comes to recovering systems is that nobody tests them adequately. They do the backups. Every day, they get the message that the backup is successful. But they don't test recovering from the backup and trying to operate the business. Then they go to recover in a disaster, and instead of eight hours, let's say it takes 14 hours. If the policy says it should take eight hours, they either have to change the policy to say 14 hours, or they have to change the process to get it down to eight hours.”
Finally, although every business has unique needs, brevity is indeed the soul of wit for business continuity policies. “If a policy is 20, 30 pages, that means nothing, because that’s too much detail, which means too much fluff,” explains Fullick. “Policies must be short and simple: This is what it is, this is why we're doing it, and this is everyone's part in it.”
Knowing the typical format of a policy frees you to focus on the content of the document. Here is an example of a business continuity policy format:
Header Block: Depending on your company’s style, you might need to include a header block on the policy. A header block includes the policy holder, policy signatory, policy date, review cycle, and version control details.
Introduction: Policy documents might or might not include an introduction. The introduction explains why a business continuity policy is important to the organization and the fundamental reasons for the policy.
Policy Statement: The policy statement might be one paragraph or an entire page. The statement describes the purpose and aims of the business continuity policy. The statement might also be called an aim or the purpose. In some organizations, the managing director or another officer signs and dates the statement page.
Definitions: Your industry might use specialized terminology that needs clarification. Definitions can also help explain the business continuity system’s scope.
Purpose and Scope: The scope section describes the facilities, processes, and activities the policy covers. “The scope tells you what to worry about. For example, ‘We’re only worrying about our main office in Mississauga. That’s the one we have to make sure is always running 24/7,’” Fullick explains.
Policy Personnel: This section lists the individuals or roles who review, approve, and enact the policy. Those responsible for policy administration are also responsible for ensuring compliance.
Compliance: The compliance area describes the requirement for testing to verify that the business continuity plans and activities adhere to the policy.
Consequences for Non-Compliance: Detail the results of not conforming to the policy.
Confidentiality Level: The confidentiality level describes who may see the document. This label usually appears in the header or footer of each page of the policy. Outside of government, businesses typically use three confidentiality levels: confidential, wherein only management can read it; restricted, wherein only company employees can read it; and public, when anyone can read it.
References and Resources: When your business continuity planning is complex, you might have a suite of policies and plans. You might also refer to legal or regulatory documents that affect business continuity policy.
Appendixes: In some cases, it makes sense to attach documents, charts, or drawings to a policy.
A business continuity policy statement outlines the broad goals of a company’s business continuity management program. The statement sets out the scope of efforts and outlines staff roles and duties for carrying out the continuity plan.
Top leadership should sign and endorse the statement, and you should communicate the policy to all employees. A statement might include the following:
In these examples of real policy statements, note the different formats and locations of the statement within the policy document:
This healthcare business continuity policy example calls the statement an aim, but it serves the same purpose as a policy statement. Here’s an example:
Business continuity policy statements for commercial organizations tend to specify an expected time to resume service. Here’s an example:
These business continuity management policy statements might begin with a purpose, which can help you to understand business continuity systems. Universities might incorporate objectives and scope. See these examples:
A statement for a city’s business continuity policy outlines what continuity planning aims to accomplish for the city. Here’s an example:
Keep your policy simple and remember to focus on creating attainable continuity goals. Follow these best practices to enhance your business continuity policy preparation experience: